Computer intrusion detection system and method based on application monitoring

A detection system and application monitoring technology, applied in the field of intrusion detection systems based on application monitoring, which can solve the problems of a high false positive rate, a high probability of attack, users slowly changing their behavior, etc., and achieve the effect of reducing the false positive rate and false negative ra

Inactive Publication Date: 2007-02-20
SYNOPSYS INC

AI Technical Summary

Benefits of technology

[0019]The present invention provides a class of intrusion detection systems and methods based on application monitoring using machine learning techniques providing reduced false positive and false negative rates. The present invention comprises two aspects of improved IDSs based on application monitoring. In a first aspect, the present invention provides an improved system and method for anomaly detection ...

Problems solved by technology

A drawback to such user-based IDS is that a user may slowly change his or her behavior to skew the profiling system such that intrusive behavior is deemed normal for that user.
Moreover, user-based IDSs raise privacy concerns for users in that such a surveillance system monitors users' every move.
That is, if the system labels a behavior as intrusive, there is a high probability that an attack is present.
While misuse systems provide a fairly reliable way of detecting known attacks against systems, they can have a high false positive rate.
That is, when even slight variations of known attacks are encountered, a misuse detection system will likely mislabel the behavior as normal.
Because known attack signatures can be varied in countless ways, this makes detection of even known attacks a daunting problem.
Moreover, a misuse detection approach cannot detect novel attacks against systems, of which there are new ones developed on a continual basis.
However, a disadvantage of anomaly detection systems is their inability to identify the exact nature of the attack.
An anomaly detection system can only detect that the behavior observed is unusual, such as might constitute an attack, but cannot identify the attack.
Moreover, anomaly detection systems have been prone to excessive false positive identifications because any departure from normal operations is flagged as a possible attack, as discussed below.
A drawback, however, to using an equality matching algorithm for intrusion detection is the inability to generalize from past observed behavior.
That is,...



Embodiment Construction

[0029]As discussed above, the present invention comprises three aspects. In a first aspect, anomaly detection is implemented using a string-matching algorithm which can be tuned to reduce the rate of false-positive identifications. In the second aspect, the present invention uses a neural network to provide both misuse and anomaly detection systems. In a third aspect, a time series prediction system is implemented to detect anomalous behavior in an application.

[0030]A. IDS Using String-Matching Algorithm in Combination with Temporal Locality Algorithm

[0031]This aspect of the present invention comprises an IDS using a string-matching algorithm in combination with a temporal locality algorithm. In the preferred embodiment, this aspect of the present invention comprises a data collection and pre-processing phase and a monitoring phase, as described below.
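The first aspect above, as an added example that is not the patent's own code: n-gram equality matching over system-call traces (the data collection and pre-processing phase builds the profile, the monitoring phase checks new traces against it) combined with a leaky-bucket score as an assumed concrete form of the temporal locality algorithm. All traces are constructed sample data.

```python
# Added example, not the patent's own code: n-gram equality matching over
# system-call traces combined with a leaky-bucket temporal-locality score.
# The leaky bucket is an assumed concrete form of the "temporal locality
# algorithm"; all traces below are constructed sample data.

def build_profile(normal_traces, n=3):
    """Data collection / pre-processing phase: record every n-gram of
    consecutive system calls observed while the application ran normally."""
    profile = set()
    for trace in normal_traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile


def monitor(trace, profile, n=3, gain=2, leak=1, threshold=4):
    """Monitoring phase. Every window first leaks `leak` from the bucket, then
    an n-gram absent from the profile adds `gain`. Isolated mismatches drain
    away (no alarm), while a dense burst accumulates past `threshold`; raising
    `threshold` or `leak` is the tuning knob against false positives.
    Returns (peak bucket level, index of the first alarming window or None)."""
    bucket, peak, alarm_at = 0, 0, None
    for i in range(len(trace) - n + 1):
        bucket = max(0, bucket - leak)
        if tuple(trace[i:i + n]) not in profile:
            bucket += gain
        peak = max(peak, bucket)
        if alarm_at is None and bucket >= threshold:
            alarm_at = i
    return peak, alarm_at


# Constructed normal traces used to build the profile.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "stat", "read", "write", "close"],
]
PROFILE = build_profile(NORMAL_TRACES)

# One unseen n-gram inside otherwise familiar behaviour: drains away, no alarm.
BENIGN_VARIANT = ["open", "stat", "read", "read", "write", "close"]
# A run of consecutive unseen n-grams: the bucket climbs and the IDS alarms.
ANOMALOUS = ["open", "read", "ioctl", "fcntl", "chmod", "unlink", "write", "close"]

if __name__ == "__main__":
    print("profile size:", len(PROFILE))
    print("benign variant (peak, alarm):", monitor(BENIGN_VARIANT, PROFILE))
    print("anomalous (peak, alarm):", monitor(ANOMALOUS, PROFILE))
```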

[0032]Data Collection and Pre-Processing Phase

[0033]As discussed above, operating systems typically comprise auditing facilities whic...


Abstract

An intrusion detection system (IDS) that uses application monitors for detecting application-based attacks against computer systems. The IDS implements application monitors in the form of a software program to learn and monitor the behavior of system programs in order to detect attacks against computer hosts. The application monitors implement machine learning algorithms to provide a mechanism for learning from previously observed behavior in order to recognize future attacks that they have not seen before. The application monitors include temporal locality algorithms to increase the accuracy of the IDS. The IDS of the present invention may comprise a string-matching program, a neural network, or a time series prediction algorithm for learning normal application behavior and for detecting anomalies.

Description

[0001] This application claims the benefit of U.S. Provisional Application No. 60/161,914, filed Oct. 28, 1999, which is herein incorporated by reference in its entirety.

[0002] The U.S. Government has a paid-up license in this invention and the right in limited circumstances to require the patent owner to license others on reasonable terms as provided for by the terms of Contract Nos. DAAH01-97-C-R095; DAAHO1-98-C-R145 and F30602-97-C-0117, each awarded by the Defense Advanced Research Projects Agency (DARPA).

BACKGROUND

[0003] 1. Field of the Invention

[0004] The present invention relates to computer intrusion detection systems, and more particularly to intrusion detection systems based on application monitoring to identify known and novel attacks on a computer system.

[0005] 2. Background of the Invention

[0006] Intrusion detection systems ("IDSs") generally take advantage of the extensive auditing capabilities inherent in many computer operating systems and other auditing facilities which m...


Application Information

IPC(8): G06F19/00
CPC: G06F21/552; H04L63/1408; G06N3/06
Inventors: GHOSH, ANUP K.; SCHATZ, MICHAEL; MICHAEL, CHRISTOPH C.; SCHWARTZBARD, AARON
Owner: SYNOPSYS INC